Facebook Tips to Make Password Privacy Issue a Non-issue

Facebook is in the middle of another hubbub over companies asking prospective employees for their login information for the social networking site as part of the hiring process, but you can make the obvious privacy concern a non-issue by being careful. I cannot stress this point enough – even temp agencies require you to give them access to your account to see what kind of person you are before they hire you. (We would always recommend you show them your page, instead of giving them your login information, if possible.)

Here are a few tips to help you enjoy the service and not worry about interfering with your ability to land that perfect job.

The bottom line: A little Facebook savvy goes a long way.

First, understand that Facebook isn’t private. Yes, you can choose your friends and to some degree limit what people see about your posts, but plenty of interested parties actually have a window into what you’re sharing. For one thing, the social network keeps track of everything you do on its territory so as to push hyper-targeted ads to you.

Timeline, for example, has been widely criticized for communicating too much about users because it visually aggregates everything you’ve ever done on the site — the information you’ve included on your profile, your photos, everything you’ve ever “liked,” any Facebook apps you’re using, a map showing where you’ve been (according to geo-tagged posts and photos), as well as a timeline of everything you’ve ever posted.

And by encouraging people to create an online scrapbook and add to Timeline extra information about their lives — all the way back to birth if they want — Facebook gleans even more personal data about its users. The point is to deliver ads that users are more likely to click on.

Speaking of ads, PCWorld recently reported that “liking” something on Facebook can make you an unwitting and unpaid endorser of an advertiser’s products or services. Once you “like” a company page, check in at a merchant location, post an update mentioning a product, service, or company, your activity can be used as an ad. That’s because your friends may receive an update informing them of your activity — whether you want Facebook to share it or not.

You can’t opt out of these Sponsored Stories.

Second, use online etiquette so there’s less dirt on you to find. A couple of online behaviors are not only annoying to other users, they can be telling to potential employers investigating your online profile. Take political spewing, for example. You know that Facebook friend who constantly posts commentary about political issues? How often are you completely in agreement with his perspective? That’s because political opinions are divisive. Polite Facebook users don’t push their political agendas onto their friends.

Online complaining is another common practice that makes people look bad. If your girlfriend just dumped you or you lost your house or job, it’s best to keep it to yourself — at least digitally. The people who want to hear your sad story have a relationship with you in the real world; Facebook isn’t the place to air your troubles.

I know I shouldn’t have to say this – don’t post negative items about your current or former employer, gossip about your work place or complain about your work environment, past or present. It is a big red flag for prospective employers.

Third, use Facebook to your advantage rather than disadvantage. Instead of worrying about what people will find when they vet you online, how about being proactive about everything you share?

Like it or not, your digital identity is what defines you to potential employers and recruiters seeking you out online. And if you’re interested in pushing your career forward, experts suggest that you take your digital identity seriously. The right words, photos, and social media banter online can impress a prospective employer or recruiter, while the wrong ones may turn them off.

All of this isn’t to say that the practice of asking someone to hand over their social media login credentials is OK — far from it. For one thing, your friends haven’t necessarily given permission for non-friends to see their posts.

At the same time, over-sharing online can cause you problems because people you don’t expect may be watching; avoid doing so and you’ll be better off.

Windows 8 rumored to complete this summer for October launch

We all know that Windows 8 is coming, and many computer makers have big plans for using the operating system in a new generation of tablets to challenge the iPad. People claiming to have knowledge of Microsoft’s schedule are saying that Windows 8 will be finished this summer and will go on sale around October. The October window for launch would be no surprise with the holiday shopping season coming shortly thereafter.

So far, it has been reported that the Windows 8 rollout will include devices using Intel processors and ARM processors. Many people are hoping that Windows 8 machines using ARM processors will be cheaper than those running Intel parts. However, the sources claim there will be under five ARM devices available when Windows 8 launches while there are over 40 set to be available with Intel parts inside.

Analysts are saying if Microsoft misses the September to October launch window, Windows 8 tablets and computers won’t be able to ship in 2012. Rumors also state three of the available Windows 8 devices using ARM processors will be tablets. If fewer than five devices with ARM processors running Windows 8 will come at launch, that leaves room for only one notebook with ARM hardware.

Ten Ways to Dodge CyberBullets, Part 10

10. Don’t be a crackhead

This is the tenth and final installment in a series and is an update to our top 10 things that people can do to protect themselves against malicious activity, which we provided to our clients two years ago.

Don’t use cracked/pirated software. Such programs are an easy avenue for introducing malware into, or exploiting weaknesses in, a system. The illegal P2P (peer-to-peer) distribution of copyrighted audio and video files is dangerous for the same reason: some of these files are counterfeited or modified so that they can be used directly in the malware distribution process.

Even if a utility seems to come from a trusted and trustworthy source rather than Mrs. Miggins’ Warez Emporium, it pays to verify as best you can that it’s genuine.

Win32/GetCodec.A, which is as common now as it was a year ago, is a type of malware that modifies media files. This Trojan converts all audio files found on a computer to the WMA format and adds a field to the header that includes a URL pointing the user to malicious content, claiming that a fake “codec” has to be downloaded before the media file can be played.

WMA/TrojanDownloader.GetCodec.Gen is a downloader that facilitates infection by GetCodec variants like Win32/GetCodec.A.
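A check for the specific lure described above, as an added example (not ESET’s code and not part of the original post): it parses the top-level ASF header of a WMA/WMV file and reports any script command that would make a player open a URL. It assumes the URL is carried in the ASF Script Command Object, the header field whose “URLANDEXIT” command type tells a player to open a URL; the sample files, the domain codec-update.example and the command contents are constructed for the example, not taken from real malware.

```python
import struct
import uuid

# ASF object GUIDs from the ASF specification. uuid.bytes_le gives the
# mixed-endian byte order the on-disk format uses.
ASF_HEADER_OBJECT = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C")
ASF_SCRIPT_COMMAND_OBJECT = uuid.UUID("7BF875CE-468D-11D1-8D82-006097C9A2B2")


def parse_asf_header(data):
    """Return [(guid, payload), ...] for the sub-objects of the top-level ASF Header Object."""
    if len(data) < 30 or data[:16] != ASF_HEADER_OBJECT.bytes_le:
        raise ValueError("not an ASF/WMA/WMV file")
    header_size, sub_count = struct.unpack_from("<QI", data, 16)
    end = min(header_size, len(data))
    pos, objects = 30, []          # 16 GUID + 8 size + 4 count + 2 reserved bytes
    while pos + 24 <= end and len(objects) < sub_count:
        guid = uuid.UUID(bytes_le=data[pos:pos + 16])
        (size,) = struct.unpack_from("<Q", data, pos + 16)
        if size < 24 or pos + size > end:
            raise ValueError("malformed ASF object size")
        objects.append((guid, data[pos + 24:pos + size]))
        pos += size
    return objects


def parse_script_commands(payload):
    """Decode a Script Command Object payload into (time_ms, type_name, command) tuples."""
    cmd_count, type_count = struct.unpack_from("<HH", payload, 16)  # after the 16-byte reserved GUID
    pos, types = 20, []
    for _ in range(type_count):
        (n,) = struct.unpack_from("<H", payload, pos)               # length in UTF-16 code units
        types.append(payload[pos + 2:pos + 2 + 2 * n].decode("utf-16-le"))
        pos += 2 + 2 * n
    commands = []
    for _ in range(cmd_count):
        time_ms, type_idx, n = struct.unpack_from("<IHH", payload, pos)
        name = payload[pos + 8:pos + 8 + 2 * n].decode("utf-16-le")
        commands.append((time_ms, types[type_idx] if type_idx < len(types) else "?", name))
        pos += 8 + 2 * n
    return commands


def find_url_lures(data):
    """Flag script commands that would make a media player open a URL (the GetCodec-style lure)."""
    findings = []
    for guid, payload in parse_asf_header(data):
        if guid != ASF_SCRIPT_COMMAND_OBJECT:
            continue
        for time_ms, ctype, name in parse_script_commands(payload):
            if ctype.upper() == "URLANDEXIT" or name.lower().startswith(("http://", "https://")):
                findings.append({"time_ms": time_ms, "type": ctype, "target": name})
    return findings


# --- constructed sample files for the example (not real malware) -------------
def _script_command_object(commands):
    types = list(dict.fromkeys(t for t, _ in commands))
    body = bytes(16) + struct.pack("<HH", len(commands), len(types))   # reserved GUID zeroed
    for t in types:
        body += struct.pack("<H", len(t)) + t.encode("utf-16-le")
    for i, (t, name) in enumerate(commands):
        body += struct.pack("<IHH", i * 1000, types.index(t), len(name)) + name.encode("utf-16-le")
    return ASF_SCRIPT_COMMAND_OBJECT.bytes_le + struct.pack("<Q", 24 + len(body)) + body


def _asf_header(sub_objects):
    body = b"".join(sub_objects)
    return ASF_HEADER_OBJECT.bytes_le + struct.pack("<QIBB", 30 + len(body), len(sub_objects), 1, 2) + body


CLEAN_WMA = _asf_header([])
LURE_WMA = _asf_header([_script_command_object([("URLANDEXIT", "http://codec-update.example/setup.exe")])])

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_WMA), ("lure", LURE_WMA)):
        print(label, find_url_lures(blob))
```

The check runs on the bytes alone, so it can be applied to a download before any media player opens it. A scanner meant for real use should also treat any Script Command Object in a file that arrived through P2P as suspicious regardless of what the commands say, since a song has no business steering your player to a web site.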

Passing off a malicious file as a new video codec is a long-standing social engineering technique exploited by many malware authors and distributors. The victim is tricked into running malicious code he believes will do something useful or interesting. There is no simple, universal test to indicate whether what appears to be a new codec is a genuine enhancement or a Trojan horse of some sort, so we would encourage you to be cautious and skeptical about any unsolicited invitation to download a new utility, and to verify as best you can that it is genuine even when it seems to come from a trusted site.

Ten Ways to Dodge CyberBullets, Part 9

9. Be wireless, not careless

This is the ninth in a series and is an update to our top 10 things that people can do to protect themselves against malicious activity we provided to our clients two years ago.

Don’t connect to just any “free Wi-Fi” access point; it might answer your DNS queries with attacker-controlled addresses, or be the “evil twin” of a legitimate access point, set up to intercept your logins and online transactions. (When I have occasion to see what networks are being offered me in hotels, airports, even in the block where I live, I have to wonder how many of them are legitimate…)

Here’s a summary of some of the most important points to remember:

Be aware of some common security issues with hot spots:

  1. “Evil twin” login interception, a scenario where an attacker sets up a network that resembles a legitimate Wi-Fi hot spot in order to intercept your login credentials for legitimate networks and sites.
  2. Previously unknown (zero-day) attacks exploiting operating system or application vulnerabilities.
  3. Sniffing, or using computer software and/or hardware to intercept and monitor traffic passing over a network.
  4. Other forms of data leakage using man-in-the-middle attacks.
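Some of the evil-twin indicators above can be checked mechanically from a Wi-Fi scan. The following is an added example (not part of the original post) that groups scan results by SSID and flags the signs a practitioner looks for: the same SSID offered both open and encrypted, the same SSID from access points with different vendor OUIs, an unfamiliar BSSID for a network you have used before, open networks from locally-administered MAC addresses, and look-alike SSIDs. The AccessPoint record, the scan results and the known-BSSID table are constructed for the example; on a real machine you would populate them from `nmcli dev wifi list` or `netsh wlan show networks mode=bssid`.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    bssid: str          # the access point's MAC address
    security: str       # "OPEN", "WEP", "WPA2", ...
    channel: int
    signal_dbm: int


def oui(bssid):
    """Vendor prefix: the first three octets of the MAC address."""
    return bssid.lower()[:8]


def locally_administered(bssid):
    """True when the locally-administered bit is set, i.e. the address is not vendor-assigned
    (typical of software access points and MAC randomisation)."""
    return int(bssid.split(":")[0], 16) & 0x02 != 0


def canonical(ssid):
    """Collapse look-alike names: ignore case, spacing and punctuation differences."""
    return re.sub(r"[^a-z0-9]", "", ssid.lower())


def find_evil_twins(scan, known_bssids):
    """Return {ssid: [reason, ...]} for networks in the scan that show evil-twin indicators.
    known_bssids maps an SSID to the set of BSSIDs you have used for it before."""
    findings = defaultdict(list)
    by_ssid = defaultdict(list)
    for ap in scan:
        by_ssid[ap.ssid].append(ap)

    for ssid, aps in by_ssid.items():
        securities = {ap.security for ap in aps}
        if "OPEN" in securities and len(securities) > 1:
            findings[ssid].append("same SSID offered both open and encrypted")
        if len({oui(ap.bssid) for ap in aps}) > 1:
            findings[ssid].append("same SSID from access points with different vendor OUIs")
        for ap in aps:
            if ssid in known_bssids and ap.bssid.lower() not in known_bssids[ssid]:
                findings[ssid].append(f"unknown BSSID {ap.bssid} for a network you have used before")
            if ap.security == "OPEN" and locally_administered(ap.bssid):
                findings[ssid].append(f"open network from locally-administered MAC {ap.bssid}")

    by_canonical = defaultdict(set)
    for ssid in by_ssid:
        by_canonical[canonical(ssid)].add(ssid)
    for names in by_canonical.values():
        if len(names) > 1:
            for ssid in names:
                findings[ssid].append("look-alike SSID of " + ", ".join(sorted(names - {ssid})))
    return dict(findings)


# Constructed scan: the real hotel network, a stronger open clone, a look-alike, and a bystander.
SAMPLE_SCAN = [
    AccessPoint("Hotel-Guest", "f0:9f:c2:11:22:33", "WPA2", 6, -55),
    AccessPoint("Hotel-Guest", "02:00:00:aa:bb:cc", "OPEN", 6, -38),
    AccessPoint("Hotel_Guest", "02:00:00:aa:bb:cd", "OPEN", 11, -41),
    AccessPoint("CoffeeShop", "34:12:98:00:00:01", "WPA2", 1, -70),
]
KNOWN_BSSIDS = {"Hotel-Guest": {"f0:9f:c2:11:22:33"}}   # constructed: what you connected to last time

if __name__ == "__main__":
    for ssid, reasons in find_evil_twins(SAMPLE_SCAN, KNOWN_BSSIDS).items():
        print(ssid)
        for reason in reasons:
            print("   -", reason)
```

None of these indicators is proof on its own (a hotel may legitimately run both an open portal and an encrypted staff network), but two or more together on the network with the strongest signal is the classic evil-twin picture, and the remembered-BSSID check is the one a user can act on without any tooling: if the name is familiar but the hardware is not, don’t log in.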

Also be aware of ways to reduce your attack surface and protect your computer:

  1. If you use a VPN, make sure the ports it needs (VPN pass-through on your router, for instance) are open, but don’t allow a free-for-all on high-numbered ports; professional system administrators open only the ports that are necessary. This doesn’t stop all attacks, but it does reduce them.
  2. Use HTTPS to access webmail.
  3. Avoid protocols that don’t include encryption wherever possible.
  4. Disable sharing of files, folders, services.
  5. Avoid connecting to sites that transfer sensitive data, your banking information, for instance, when connected to an untrusted access point.
  6. Ensure you’re using sound firewalling, antimalware, host intrusion prevention system and so on.

Ten Ways to Dodge CyberBullets, Part 8

8. Antivirus isn’t total security

This is the eighth in a series and is an update to our top 10 things that people can do to protect themselves against malicious activity we provided to our clients two years ago.

Don’t expect antivirus alone to protect you from everything.

Use additional measures such as a personal firewall, antispam and anti-phishing toolbars, but be aware that there is a lot of fake security software out there. This means that you need to take care to invest in reputable security solutions, not rogue “scareware” that claims to fix nonexistent problems, or toolbars that are designed to divert you away from the sites you want to visit and toward the ones that generate revenue for adware providers.

Apart from that, even the best protection might not protect you as well as common sense and caution do. There is no silver bullet in protection against malware, which is why we always advocate multilayering, or defense in depth. Specifically, don’t fall for the “I can do anything and click on anything because my antivirus will protect me” trap. There seems to be a temptation for people to cluster at one of two extremes.

  • Some people have such touching faith in their AV that they assume it will catch everything malicious that’s thrown at their system, so they don’t run anything else and are convinced that they don’t need to think about their own security. When they eventually find that their system has been infected, whether it’s by something they’ve clicked on incautiously or something a little more subtle like a zero-day vulnerability or a drive-by download, they feel betrayed and angry. That’s understandable, but it comes from a misunderstanding of the limitations of all security software. For every technical solution (not just AV), there is at least one way of getting around it.
  • Others take the view that antivirus is no use at all because it “only detects malware it already knows about.” That isn’t the case; only the most primitive modern antimalware relies purely on signatures of known malware variants. Good antimalware products incorporate tools like generic detection, advanced heuristics, sandboxing, whitelisting and so on into an integrated product that catches a high percentage of all malware, not just viruses.

The danger in both scenarios is that the individual is tempted to substitute one partially successful solution for another. (Some marketing departments may overstate the effectiveness of a product, but that isn’t a problem restricted to the antimalware industry, or even the security industry!)

The trick is not to rely solely on one solution at all. A diverse spread of partially successful solutions may be more successful… However, note that word diverse. For most people, half a dozen antivirus packages on a single desktop machine are likely to cause more problems than they solve… By multilayering, I mean using a diversity of product types. Using multiple antivirus products may catch more specific malicious programs, but the increased detection may not be worth the additional strain on resources and risk of program conflicts, false positives and so on.

Also, please bear in mind that malware gangs spend a lot of development time tweaking binaries so that they will evade specific scanners. The more effective a scanner is, the likelier it becomes that it will be targeted in this way.

This is why we recommend supplementing your antivirus program with two on-demand malware scanners, Malwarebytes and Spybot Search & Destroy. Both are free to use under their free licenses, but the free versions require manual updates and manual scanning; only the paid versions offer automatic updates and scanning.

Ten Ways to Dodge CyberBullets, Part 7

This is the seventh in a series and is an update to our top 10 things that people can do to protect themselves against malicious activity we provided to our clients two years ago.

7. Call for backup

If sensitive information is stored on your hard drive (and if you don’t have something worth protecting on your system, you’re probably not reading this paper), protect it with encryption.

Furthermore, when you copy or move data elsewhere, it’s usually at least as important to protect/encrypt it when it’s on removable media, or transferred electronically. Even if the target storage device is secure from malware or hacking, you also need to be aware of other dangers such as physical risks, transit risks, business-related risks.

Consider (seriously) regularly backing up your data to a separate disk (as a minimum) and, where possible, a remote site or facility. Sounds extreme? Think about it.

You can’t rely on backing up to another partition on the same disk as the original; if the disk dies, the chances are that all partitions will be lost.

You can’t rely on backing up to another disk on the same system. If the system is stolen, or there’s a fire, for instance, then in the immortal words of Tom Lehrer, they’ll “all go together.” In the latter instance, the chances are that you’ll lose your thumb drives, CD-RWs and so on as well.

And if you’re working in a corporate environment, you might want to avoid doing what some of the accounts we took over have done in the past – back up data to a server, but forget to back up the server itself.
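The “same disk” pitfalls above can be enforced rather than remembered. The following added example (not part of the original paper) refuses a backup destination that sits on the same disk as the source (on Linux, by resolving each path’s device through /sys/dev/block to its parent disk, so two partitions of one drive count as one disk), writes a tar archive plus a SHA-256 manifest, and then reads the archive back and re-hashes every member, because a backup that has never been read back is a hope rather than a backup. Encrypting the archive is left to a separate tool such as gpg and is not shown; all paths and sample data are constructed for the example.

```python
import hashlib
import json
import os
import tarfile
import tempfile


def physical_disk(path):
    """Name of the block device a path lives on (Linux /sys), or None if unknown
    (tmpfs, overlay filesystems, non-Linux)."""
    dev = os.stat(path).st_dev
    link = f"/sys/dev/block/{os.major(dev)}:{os.minor(dev)}"
    if not os.path.exists(link):
        return None
    real = os.path.realpath(link)                      # .../block/sda/sda1 for a partition
    parent = os.path.basename(os.path.dirname(real))   # "sda" for a partition, "block" for a whole disk
    return parent if parent != "block" else os.path.basename(real)


def same_physical_disk(a, b):
    """True if both paths are on the same filesystem or on partitions of the same disk."""
    if os.stat(a).st_dev == os.stat(b).st_dev:
        return True                                    # same filesystem: trivially the same disk
    da, db = physical_disk(a), physical_disk(b)
    return da is not None and da == db


def sha256_of(fileobj):
    h = hashlib.sha256()
    for chunk in iter(lambda: fileobj.read(1 << 16), b""):
        h.update(chunk)
    return h.hexdigest()


def create_archive(src, archive_path):
    """Tar src into archive_path; return {member_name: sha256} computed from the source files
    and write it next to the archive as a manifest."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _, files in os.walk(src):
            for name in files:
                full = os.path.join(root, name)
                arc = os.path.relpath(full, src)
                with open(full, "rb") as f:
                    manifest[arc] = sha256_of(f)
                tar.add(full, arcname=arc)
    with open(archive_path + ".manifest.json", "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)
    return manifest


def verify_archive(archive_path, manifest):
    """Read the archive back and hash every member; return a list of problems (empty means OK)."""
    problems, seen = [], set()
    with tarfile.open(archive_path, "r:gz") as tar:
        for member in tar:
            if not member.isfile():
                continue
            seen.add(member.name)
            if manifest.get(member.name) != sha256_of(tar.extractfile(member)):
                problems.append(f"{member.name}: hash mismatch or not in manifest")
    for missing in sorted(set(manifest) - seen):
        problems.append(f"{missing}: missing from archive")
    return problems


def backup(src, dst_dir, allow_same_disk=False):
    """Back up src into dst_dir, refusing a destination on the same disk unless told otherwise."""
    if not allow_same_disk and same_physical_disk(src, dst_dir):
        raise RuntimeError(f"{dst_dir} is on the same disk as {src}; one disk failure would take both")
    archive = os.path.join(dst_dir, "backup.tar.gz")
    problems = verify_archive(archive, create_archive(src, archive))
    if problems:
        raise RuntimeError("backup verification failed: " + "; ".join(problems))
    return archive


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        with open(os.path.join(src, "notes.txt"), "w") as f:
            f.write("constructed sample data\n")
        try:
            backup(src, dst)                           # both temp dirs share a disk: refused
        except RuntimeError as e:
            print("refused:", e)
        print("archive:", backup(src, dst, allow_same_disk=True))
```

Two caveats a practitioner would add: the /sys lookup stops at device-mapper and md devices, so for LVM or software RAID you would follow /sys/block/<dev>/slaves down to the spinning disks before comparing; and passing the same-disk check only protects against a disk failure, so the archive still needs to be copied off-site (and the server it lands on backed up in turn) to cover the theft and fire cases in the text.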

Ten Ways to Dodge CyberBullets, Part 6

This is the sixth in a series and is an update to our top 10 things that people can do to protect themselves against malicious activity we provided to our clients two years ago.

6. Social networks can be very anti-social

Don’t disclose sensitive information on web sites like Facebook or LinkedIn if you can’t be sure that you can limit access to those data. Even information that in itself is innocuous can be combined with other harmless information and used in social engineering attacks.

In 2012, it’s more than likely that we’ll see increased targeting of social networks, such as Facebook, LinkedIn and Twitter in the U.S., and Orkut and Hi5 in South America. Attackers will be looking for data they can exploit from a social engineering standpoint, but they’ll also be looking for cross-site scripting and self-propagating malware attacks on the web sites as well as their APIs (Application Programming Interfaces).

Data mining (both legitimate and criminal) will have a wider range of effects on individuals, and some of those effects will be far from beneficial. A notable example is Facebook’s lack of commitment to a realistic security model, which would be a very significant supplement to its rather generic security center advice. It seems to me that Facebook is encouraging its users to share as much information as possible, while essentially making them responsible for the security of their own data. This isn’t unique to Facebook, of course, or even to Web 2.0 providers in general. But some such services are grooming us to accept that it’s legitimate for an ever-wider pool of data to be used to monitor our behavior. It’s becoming harder to distinguish between appropriate and illicit use of personal data, in terms of targeting both advertised content and services, and of monitoring for security purposes by financial and governmental institutions, for instance. Lines are sometimes very blurred between legitimate and criminal data mining in some of these areas, and there are questions to be asked about validation.

Privacy tends to diminish where it’s in the way of commercial rather than political interests. So, ironically enough, there will be particular and ongoing interest in data leakage where it affects public bodies, but selling of information at the back door by more or less legal means will continue as it always has, though it’s starting to attract some attention. This may be less true in Europe, where data protection and other directives already give some formal weight to the principle that organizations should only hold as much personal data as they need, rather than as much as they want. On the other hand, the U.S. may eventually take more notice of this issue, and the potential for change is considerable.